RCE exploit for Wyze Cam v3 publicly released, patch now
2023-10-30 20:46

A security researcher has published a proof-of-concept exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices.

Security researcher Peter Geissler recently discovered two flaws in the latest Wyze Cam v3 firmware that can be chained together for remote code execution on vulnerable devices.

The exploit released by Geissler on GitHub chains these two flaws to give attackers an interactive Linux root shell, turning vulnerable Wyze v3 cameras into persistent backdoors and allowing attackers to pivot to other devices in the network.

In a private discussion, Geissler explained to BleepingComputer that, to express his disapproval of Wyze's patching strategies, he made his exploit available to the public before most Wyze users could apply the patch.

While Geissler admits that it is common for vendors to patch a bug in order to break exploit chains before the competition, he accuses Wyze of singling out that specific device to avoid negative PR from the competition, as the bug was allegedly not fixed in other devices.

Wyze told another security researcher that they were only notified of the Wyze Cam v3 bug a few days before the competition and are now investigating whether it is in other devices' firmware.